Skip to content

Set up Mobile ID Manager on premises

As an alterantive to the cloud version of Mobile ID Manager, we offer an on-premises version for you to run in your own data center or a private cloud.

Requirements

  • A container runtime, e.g. Docker.
  • An S3 bucket, e.g. at AWS S3 (alternatively, you can store Mobile ID Manager files in your local file system).

Set up

Run a new container, setting the environment variables and specifying the Mobile ID Manager image as described below.

You need to repeat this for every restart of Mobile ID Manager. After a restart, please reload any open Mobile ID Manager pages in the browser.

Environment variables

Option Default Description
General
BASE_URL   URL of the Mobile ID Manager instance. Must be https and accessible by apps.

You can use http://localhost for testing; however, in this case, activation QR codes in invitations will not work.
--publish=80:80   Ports to which Mobile ID Manager connects. The first number defines the port for external access and can be adjusted as needed. The second number is the port used internally and must remain unchanged.
E-mail settings

Set up an SMTP account to send system e-mails from, e.g. invitations to users of the app.

MAIL_HOSTNAME   SMTP server name
MAIL_SENDER   Sender to display in system e-mails. Can be an e-mail address only, e.g. from@example.com, or an e-mail address prefixed with display name, e.g Mobile ID <from@example.com>.
MAIL_PORT 587 SMTP port
MAIL_SECURITY starttls E-mail encryption. Other values are tls and none.
MAIL_USERNAME   Username for the SMTP account
MAIL_PASSWORD   Password for the SMTP account
Storage in an S3 bucket

Specify an S3 bucket to store the Mobile ID Manager files. The following parameter names are based on the concepts and wording of AWS S3. If you use a different provider, please check which values correspond. For storage in the local file system, see following section.

AWS_ACCESS_KEY_ID   Access key ID (part of AWS access keys)
AWS_SECRET_ACCESS_KEY   Secret access key (part of AWS access keys)
AWS_DEFAULT_REGION   AWS default region
STORAGE_S3_ENDPOINT_URL AWS endpoint URL
STORAGE_S3_BUCKET_NAME   S3 bucket name
Storage in the local file system
--mount=type=bind,src=<local path>,dst=/storage For <local path>, specify an existing local path where you want to save the Mobile ID Manager files.
Additional configuration options
CREDENTIAL_VALIDITY_HOURS 24 Max. offline period for apps and thus max. period in which an app still works after the user has been deleted.

After this period, apps must be online to verify permissions with Mobile ID Manager.
INVITATION_VALIDITY_DAYS 7 Validity of the activation QR code in invitation e-mails
ACCOUNT_VERIFICATION_VALIDITY_DAYS 7 Max. period between admin account registration and activation via initial login
SESSION_TIMEOUT_MINUTES 240 Inactivity period in Mobile ID Manager after which you're automatically logged out
FIREBASE_CERTIFICATE Notifications from Mobile ID Manager to the apps (e.g. if a user is deleted) are by default sent via Google Firebase using BALTECH's certificate. The data we thus have access to is anonymized, i.e. we can see which notification was sent at what time, but not to whom. Learn more about privacy in Mobile ID

You may disable notifications (and thus the use of Google Firebase) altogether by setting FIREBASE_CERTIFICATE= . However, e.g. revoking permissions from the app or updating the ID will take considerably longer: These actions can no longer be actively enforced by Mobile ID Manager, but will only take place when the app contacts Mobile ID Manager once within CREDENTIAL_VALIDITY_HOURS.

Image

Specify the path to the desired Mobile ID Manager image version with the docker run command.

Path Description
ghcr.io/baltech-ag/mobile-id-manager:latest Run the latest version of Mobile ID Manager
ghcr.io/baltech-ag/mobile-id-manager:v1.2.3 Run a specific version of Mobile ID Manager
View version history

Try it with our app note

With our app note, you can quickly set up a Docker container with a demo instance of Mobile ID Manager.

To try the app note:

  1. Install Docker Desktop.
  2. Download the app note and unzip it.
  3. In the hostname.env file, change the HOSTNAME variable to your public IP address or hostname.

    The IP address or hostname must be accessibly by phones running the Mobile ID app.

  4. Run docker-compose --env-file=hostname.env up --build.

  5. Open http://localhost:81 to access all e-mails sent by Mobile ID Manager (e.g. invitations to users of the app).
  6. Open http://localhost in your browser to access Mobile ID Manager.

    You may be warned about a security risk

    This is because this appnote uses a self-signed certificate that your browser doesn't recognize. Accept the warning to proceed.

  7. In Mobile ID Manager, create an admin account and a project.

  8. To stop Mobile ID Manager, press Ctrl+C.

Versions, updates and rollbacks

If you run Mobile ID Manager with a specific version (see Image section above), we highly recommend you regularly update. To get notified about new versions, sign up for our newsletter. Only a couple of times a year, no spam, we promise.

Mobile ID Manager uses semantic versioning, i.e. the version number is composed as follows: MAJOR.MINOR.PATCH This number also indicates if you can roll back to an older version:

  • MAJOR: New features that come with database changes. Rolling back to an older version is not possible.
  • MINOR: New features without database changes. You can roll back to any older minor or patch version.
  • PATCH: Bug fix only. You can roll back to any older minor or patch version.

Third-party-licenses

Third-party licenses for Mobile ID Manager are documented here.

Title